ManageEngine Browser Security Plus – Centrally manage web browsers

• Author
• Recent Posts

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

• Azure PowerShell vs. Azure CLI - Wed, Mar 15 2023
• Use Azure Storage for backup - Thu, Feb 23 2023
• Azure Data Studio vs. SQL Server Management (SSMS) - Wed, Feb 8 2023

As a working Windows systems administrator, you know that Group Policy in Active Directory Domain Services (AD DS) gives you a degree of centralized control over Microsoft's own web browsers, Edge and Internet Explorer.

However, nowadays in today's Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) IT landscape, your users likely prefer non-Microsoft browsers such as Google Chrome or Mozilla Firefox.

How can you enforce your organizational security policies, given this cross-vendor web browser context? ManageEngine developed a point solution called Browser Security Plus that addresses just this use case. Let's take a look.

Browser Security Plus in a nutshell

Browser Security Plus (BSP) is a software-as-a-service (SaaS) application that consists of the following components:

• Server services (the server itself, a notification service, and an Apache web server service)
• A web-based management interface
• An .msi agent

Although the Browser Security Plus server includes open-source components, this solution is aimed at Windows-based servers and endpoints. Moreover, the supported browser list noticeably does not include Apple Safari:

• Microsoft Edge
• Microsoft Internet Explorer
• Google Chrome
• Mozilla Firefox

The BSP core feature set incorporates the following four value propositions:

• Detect: Gain visibility into which browsers your users use and which browser add-ons they have installed
• Enforce: Deploy security configurations to mitigate phishing and malware attacks
• Control: Regulate access to browser add-ons and browser-based apps
• Audit: Report on browser usage and policy compliance

Installation and configuration

Per the Browser Security Plus documentation, you install the server on a Windows Server or even a Windows Client device that meets reasonably low system requirements. As I said, all server management occurs via a central web application that listens on TCP port 9393 for HTTPS and TCP port 9030 for HTTP, by default.

The default login is a disappointing admin/admin combination; of course you will want to perform a number of post-installation tasks right away:

• Change the admin account password
• Install your own private or public SSL/TLS certificate to protect the management site
• Configure proxy and/or mail server IP addresses as appropriate

The following screenshot shows the BSP Admin global settings page:

Configuring admin settings in BSP

After you configure the BSP server itself, it's time to deploy the agent to your Windows-based endpoints. Navigate to Agent > Active Directory and add your AD domain to the tool by specifying domain administrative credentials.

You now can add computers and deploy the agent directly from the Scope of Management page, shown in the next screenshot.

Deploying the BSP agent to domain or workgroup joined devices

You will also want to navigate to Manage > Groups & Computers and assign computers with similar browser requirements into one or more groups.

Defining our first browser management policy

Oh boy—where to begin? There are so many management options to choose from in this tool. First, from the Manage page, check out:

• Sites Group: Create groups of website URLs you want to add to your policies as one unit
• Extension Repository: Pre-populate browser extensions either required for your users to have or make them available to them optionally

Adding an authorized browser extension to BSP

Now head over to the Policies page in the BSP web management portal. Here are the general policy categories:

• Threat Prevention: Allow or restrict file downloads, enable a phishing filter, or require strict digital certificate revocation checking
• Data Leakage Prevention: Apply digital rights management (DRM) policies, such as restricting the user's ability to screenshot the browser, print a webpage, and so forth
• Add-on Management: Control which browser extensions users can and cannot install (shown in the next screenshot)
• Web Isolation: Block data persistence between browsing sessions and restrict iFrame behavior
• Browser Lockdown: Convert the browser to kiosk mode when accessing certain URLs
• Browser Router: Manage inter-browser compatibility issues by redirecting traffic to particular browser(s)
• Java Manager: Control access to the Java Runtime Environment on users' computers
• Browser Customization: Configure content restrictions, URL access rules, and default home page; control browser startup behavior

Configuring a BSP browser security policy

The client experience

By default, the user is unable either to modify the BSP agent properties or install the agent. I show you this in the next screenshot.

BSP agent controls are out of the user's reach

From there, the product simply works. For example, in my lab environment I created a strict Add-on Management policy in which users cannot install their own Chrome extensions, and instead can only install extensions on my whitelist.

As you can see in the following screenshot, the product prevents the user from undertaking a restricted action.

A BSP block displayed to the end user

Two criticisms I have of the BSP end-user experience are:

• I sometimes needed to reassociate a policy manually to a management group or to individual managed computers to get the policy to "take" on the endpoint
• The block messages are not particularly descriptive or user-friendly

Reporting on browser usage and security policy

BSP includes a number of dashboards and built-in reports on its Insights page to help you gain insight on your user base, their browsing habits, and their endpoint compliance. Some of the built-in reports include:

• Unsecure (unsigned) plug-ins
• Phishing filter compliance status
• Outdated plug-ins
• Potentially harmful extensions
• Computers with or without a specific extension
• Computers with or without a specific plug-in

I show you the Browsers dashboard in my lab environment next:

A built in BSP dashboard

The web interface allows you to view your report data as a table, customize visible columns, and export your reports as PDF, CSV, or Excel documents.

The Compliance page lets you define the browser policy settings you need to track for compliance purposes and then report on your endpoints' current status.

Wrap-up

ManageEngine requires you ask them for a quote to determine their specific license prices, but I can tell you they license Browser Security Plus in two models:

• Annual subscription: Fixed cost per year that includes product support
• Perpetual model: One-time license fee with annual maintenance costs

In summary, I think BSP does a decent job at managing a multi-browser environment in a way that does not require a lot of additional hardware or software. On the other hand, I tend to dislike so-called "point solutions" and instead prefer more all-encompassing central management products.

If you do struggle with supporting multiple users with multiple browsers, and balance user convenience on one hand against regulatory/policy compliance on the other, you may want to take a closer look at ManageEngine Browser Security Plus.